Re: [OAUTH-WG] draft-ietf-oauth-token-exchange comments (RESTful / OIDC claims)

Brian Campbell <bcampbell@pingidentity.com> Tue, 11 December 2018 18:21 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Dec 2018 11:21:10 -0700
Message-ID: <CA+k3eCSQczsMx5XLHms_wgT1ZmqV9GCJ=Bns9yAhU0v63EGA=A@mail.gmail.com>
To: ietf@lists.joshka.net
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FhfoNOTTmj8pVWy4MtojA9bLpBo>

The OAuth framework itself isn't particularly RESTful so it's not really
specific to token exchange. This document just makes mention of it in the
context of talking about the shift from XML/SOAP/WS* to JSON/HTTP as one of
the motivations for its existence.

There's nothing precluding sending additional parameters. In general, OAuth
says to ignore unrecognized parameters, which allows for extensions or
proprietary additions.

On Wed, Dec 5, 2018 at 12:29 PM Josh McKinney <ietf@lists.joshka.net> wrote:

> Hiya,
>
> In section 1:
>
>    The STS
>    protocol defined in this specification is not itself RESTful (an STS
>    doesn't lend itself particularly well to a REST approach) but does
>    utilize communication patterns and data formats that should be
>    familiar to developers accustomed to working with RESTful systems.
>
> A colleague expressed concern that token exchange cannot be RESTful.
> Given that the token exchange endpoint defined here is the same as the
> token endpoint, is this a restatement that this endpoint itself is not
> RESTful, as opposed to a different change? AFAICT, none of the other OAuth
> RFCs mention RESTful concerns.
>
> In Section 2.1:
> Regarding exchanging an access token for an id token, OIDC allows the
> caller to provide a claims parameter to specify the specific claims
> returned in an id token. See
> https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
> I'm not sure that this spec explicitly constrains parameters to be passed
> to this method, but it also doesn't have any language to suggest that it
> will allow extended parameter lists to be passed and interpreted by the
> auth server.
>
>
> --
> Josh McKinney
> joshka.net
>
>

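A worked illustration of the rule Brian cites, added here and not part of the thread or of any implementation named in it: a token-endpoint request validator for a token-exchange grant that accepts the OIDC `claims` extension parameter, rejects duplicated parameters, and silently drops anything it does not recognise. The parameter names come from draft-ietf-oauth-token-exchange and RFC 6749; the sample request body, the `claims` handling and the error messages are constructed for this example.

```python
"""Added example (not from the thread): validate a token-exchange request,
honour the OIDC 'claims' extension, and ignore unrecognised parameters as
RFC 6749 requires. Sample body and error strings are constructed."""
import json
from urllib.parse import parse_qs

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REQUIRED = {"grant_type", "subject_token", "subject_token_type"}
OPTIONAL = {"resource", "audience", "scope", "requested_token_type",
            "actor_token", "actor_token_type"}
# Extension parameters this server chooses to understand (assumption):
EXTENSIONS = {"claims"}

# Constructed request: access token in, ID token requested, OIDC 'claims'
# asking for 'email', plus an unknown vendor parameter the server must ignore.
SAMPLE_BODY = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
    "&subject_token=abc&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3A"
    "token-type%3Aaccess_token&requested_token_type=urn%3Aietf%3Aparams%3A"
    "oauth%3Atoken-type%3Aid_token&claims=%7B%22id_token%22%3A%7B%22email"
    "%22%3Anull%7D%7D&x_vendor_hint=1"
)


def parse_token_exchange(body: str):
    """Return (accepted_params, ignored_names). Raises ValueError, which a
    real server would map to an invalid_request / unsupported_grant_type
    error response, never echoing the offending value back."""
    raw = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    # RFC 6749 section 3.2: a parameter MUST NOT be included more than once.
    dupes = sorted(k for k, v in raw.items() if len(v) > 1)
    if dupes:
        raise ValueError(f"duplicate parameter(s): {dupes}")
    params = {k: v[0] for k, v in raw.items()}
    missing = sorted(REQUIRED - params.keys())
    if missing:
        raise ValueError(f"missing parameter(s): {missing}")
    if params["grant_type"] != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported_grant_type")
    # actor_token_type is required with actor_token and forbidden without it.
    if ("actor_token" in params) != ("actor_token_type" in params):
        raise ValueError("actor_token and actor_token_type must appear together")
    accepted = {k: v for k, v in params.items()
                if k in REQUIRED or k in OPTIONAL or k in EXTENSIONS}
    if "claims" in accepted:  # OIDC Core 5.5: the value is a JSON object
        try:
            accepted["claims"] = json.loads(accepted["claims"])
        except json.JSONDecodeError as exc:
            raise ValueError("claims parameter is not valid JSON") from exc
    ignored = sorted(params.keys() - accepted.keys())
    return accepted, ignored
```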